Sharing Sickness Report.

if this changes they will obviously carry out a review
You seem to be interpreting the question differently to everyone else.

There was never a question about a right to carry out a review, or receiving a report about their fitness to work / not to work. That happens all the time.

The question is about the sharing of specific medical information, which is only allowed in very specific circumstances.
 

You should ask for a copy of the consent form you signed also.
 
An employer does have a right to know the nature of an employees illness in certain circumstances and this has been confirmed by the Data Protection Commissioner. This is restricted to grounds of Health and Safety (so for example, if an employee was diganosed with Coroanvirus an employer may have the right to know) or if the nature of the employees job meant the illness would put them or others at risk of injury.
 
The employer has the right to know what measures they should take to ensure the health and safety of their other employees and customers but they do not have the right to know the details of an illness. For example if the employee has a contagious illness they the employer has the right to know that it is contagious but they have no right to know what the specific illness is.
 
Decent write-up on finding the right balance here. More information from the OP would be required to make a call here, but of course they may not want to share that level of detail in case they are identified.
 

That's not correct.

The exact quote from the 2013 DPC annual report states
in certain very specific circumstances a doctor may be legally obliged to report certain illnesses to an employer for health and safety reasons and we recognise the need for this practice, particularly in the case of contagious diseases
 
Sure, if they have smallpox or something like that but other than "certain very specific circumstances" where they "may be legally obliged" they just give a sick note stating that the person cannot attend work due to a contagious illness. They inform the employer in cases where there is a risk that other employees may be carrying a virus so that they can be tested. In practical terms, and in the context of this thread, that doesn't apply.
 
Sure, if they have smallpox or something like that

That's my understanding too. It's all about proportionality and the duty of care of both the medical professionals performing the assessment and the employer. The flu virus is contagious, but there is no suggestion that an employer has a duty of care to warn other staff about the presence of that in the workplace, but in a workplace that may have staff who are pregnant, then the employer has to inform staff of the presence of potentially dangerous infections such as measles, mumps, etc..
 
Decent write-up on finding the right balance here. More information from the OP would be required to make a call here, but of course they may not want to share that level of detail in case they are identified.
I agree more Information is required before making a call, just remember line managers supervisors/employees can be personally held responsible for not taking actions when its comes to Health and safety ,from time to time they have to make sure the hold the correct end of the stick if they see something coming down the track they could be held responsible for if not correctly informed and take action so they are protected,
 
Last edited:

It is not the managers call what information they need. That is why company's use doctors and occupational therapists. And if a manager or employer does get medical information for some reason, they should be VERY VERY careful what they do with it. Sharing it with a 'consultant company' for clarifications seems to me to be a pretty clear GDPR breach. If they wanted clarifications, they should have gone back to the assessor that did the assessment.
 
Sharing it with a 'consultant company' for clarifications seems to me to be a pretty clear GDPR breach.

Again, we don't know what information was shared with the consultants or what their relationship was. Some companies have retainers for HR / legal advice for situations like this where they don't have the expertise in-house. Asking another company what the appropriate response to an employee's medical situation does not constitute a GDPR if it was appropriately redacted.
 

I agree we don't have enough information but if medical records are being shared between manager/HR/Legal (in-house or on retainer), there has be a policy as they are processing the employees personal data. It doesn't matter if it is redacted or not. The employer still has to show they had a legitimate reason for processing the medical information and that the employee clearly gave specific and clear consent for it to be processed. And it this case, it doesn't appear to have happened. Consenting to do the examination and having the results shared with your employer would not be sufficient. The employer must have provided a Data Protection Notice. Would be interesting to know what it says.
 
No issue about privacy of data - that’s the law. However - if the condition affects work ability then the manager / hr has a right to know that a condition exists. I am aware of many staff who have ‘hidden’ conditions and this led to issues with their ability to work effectively - including significant mental health issues that could have easily been supported by the employer - manager if they were aware of same for the mutual benefit of all. I am also aware of people with hiv/ hep infections that do not affect their ability to work - so manager / employer has no Right to know, except to facilitate regular medical check ups , etc.
 
For some reason cmalone you keep trying to justify your first answer but you called it incorrectly.

Also we know the employer is relying on consent so that’s a breach.

There is no indication hear that OP falls into the extremely low number of marginal cases where the details the employer would be entitled to that might indicate an illness or condition.
 
Not only may the employee have an issue with regards to his employer, but there may also be an in appropriate disclosure by the examining doctor if the employee did not know he or she was going to disclose it to the employer. The examining doctor acts as a controller also.
 

They only have a 'right' to know under extremely limited circumstances. I presume at this stage we have all worked with people who have suffered from some sort of mental illness. Most people will volunteer this information to management and colleagues as it is very difficult to avoid it. However, the manager/employer does not have a right to know about it. If the employee is continuously out sick or is unable to perform the job as expected, then the employer can take steps but to suggest the someone has a 'right' to be told would imply that the employee could be in trouble for not disclosing it. This is not the case. Obviously there could be issues if something isn't disclosed during a pre-employment screening if asked directly.

Vast vast amount of employer/employee relationships are built on trust. I certainly never worked in a place where I wouldn't have been comfortable sharing medical details if I needed support but the rules around medical information are there for a reason and I fully understand why people do not want general detailed medical information about themselves shared outside the medical profession who are governed by doctor/patient confidentiality.
 

If the employee's identity has been redacted from the information shared, GDPR no longer applies. The company is entitled to process and share such information as they see fit.
 
If the employee's identity has been redacted from the information shared, GDPR no longer applies. The company is entitled to process and share such information as they see fit.

No they are not. Medical information is classified as sensitive personal data. They are not allowed to process it as they see fit. They need clear consent as to how they are going to process the data and have a legitimate reason for doing it. Telling someone they have shared the data redacted or not without getting their clear consent is a breach of GDPR. Redacting the data doesn't change that. Giving consent to an medical exam is not giving consent to the company to process that data for GDPR. If the company is handling this data, they are required to have a policy document outlining how they will handle sensitive personal data.
 
Medical information is classified as sensitive personal data.

That is not correct, the legislation is very clear that such data is only covered where it is contains sufficient detail to identify the individual concerned. Once detail has been redacted from a file so that the individual is no longer identifiable, GPRD does not apply.

It would be ridiculous to think that GDPR would prevent a company seeking advice from a specialist as to how they should handle a scenario where an unidentified employee contracts a contagious disease. The data protection commissioner ever went further in the 2013 report as referenced above.